CVE-2023-49287

Name	CVE-2023-49287
Description	TinyDir is a lightweight C directory and file reader. Buffer overflows in the `tinydir_file_open()` function. This vulnerability has been patched in version 1.2.6.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1059256, 1059257

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
falcosecurity-libs (PTS)	bookworm	0.1.1dev+git20220316.e5c53d64-5.1	vulnerable
	sid	0.15.1-2	fixed
gemmi (PTS)	bookworm	0.5.7+ds-2	vulnerable
	sid, trixie	0.6.4+ds-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
falcosecurity-libs	source	(unstable)	0.14.1-1			1059256
gemmi	source	(unstable)	0.6.4+ds-1			1059257

Notes

[bookworm] - falcosecurity-libs <no-dsa> (Minor issue)
[bookworm] - gemmi <no-dsa> (Minor issue)
https://www.openwall.com/lists/oss-security/2023/12/04/1
https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d (1.2.6)
https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt
gemmi: https://github.com/project-gemmi/gemmi/issues/292
gemmi: https://github.com/project-gemmi/gemmi/commit/e142eff1fec1475b62b2ab5e88d3a50b4d7450b5 (v0.6.4)
lwip embeds a copy of tinydir, but it's unused, see bug #1059259